A surge of FakeBat malware infections, driven by an ongoing malvertising campaign, is targeting users searching for popular software.
According to reports, the attacks are opportunistic and aimed at users looking for popular business software. The infection chain relies on a trojanized MSIX installer that runs a PowerShell script to deploy a secondary payload.
FakeBat is a malware loader with strong ties to a threat actor named Eugenfest. Google’s threat intelligence team also tracks the malware NUMOZYLOD and the Malware-as-a-Service (MaaS) operation attributed to UNC4536.
The operation that propagates the loader uses drive-by download tactics, redirecting users searching for popular software to fraudulent look-alike websites that serve malicious MSIX installers.
Researchers noted that FakeBat has distributed several malware families, including IcedID, RedLine Stealer, Lumma Stealer, Carbanak, and SectopRAT (aka ArechClient2).
FakeBat’s operators rely on malvertising to spread the loader.
According to investigations, UNC4536, the FakeBat operator, uses malvertising to spread trojanized MSIX installers that pose as popular software such as Steam, Zoom, KeePass, Notion, and Brave.
The trojanized MSIX installers are uploaded to websites built to look like reputable software download sites, tricking visitors into downloading them. Researchers stated that this campaign stands apart from other malvertising campaigns because it uses MSIX installers to masquerade as well-known software.
MSIX installers can additionally run a script before launching the main application, through a configuration entry named startScript.
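The startScript behaviour described above is what a defender would want to check for when triaging a downloaded installer. The following is an added example, not code from the article or from any of the researchers it cites: it treats an MSIX package as the ZIP archive it is, looks for a Package Support Framework config.json, and reports every application entry that declares a startScript, flagging script paths with scripting extensions. The sample package, the file names inside it (run.ps1, setup.exe) and the function names are constructed for this example.

```python
"""Triage an MSIX package for startScript entries that run before the main app.

Added example (not from the article). An MSIX package is a ZIP archive; the
Package Support Framework reads a config.json whose "applications" entries may
carry a "startScript" object with a "scriptPath". A package that runs a script
before its advertised executable deserves a closer look before installation.
"""
import io
import json
import zipfile

# Extensions that indicate the pre-launch step is a script rather than a binary.
SUSPICIOUS_EXTENSIONS = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def find_start_scripts(msix_bytes: bytes) -> list:
    """Return one finding per application entry that declares a startScript."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as pkg:
        for name in pkg.namelist():
            # The PSF config may sit at the package root or in a subfolder.
            if name.lower().rsplit("/", 1)[-1] != "config.json":
                continue
            try:
                cfg = json.loads(pkg.read(name).decode("utf-8-sig"))
            except (ValueError, UnicodeDecodeError):
                continue  # not a JSON config; ignore
            for app in cfg.get("applications", []):
                script = app.get("startScript")
                if not isinstance(script, dict):
                    continue
                path = str(script.get("scriptPath", ""))
                findings.append({
                    "config": name,
                    "app_id": app.get("id"),
                    "executable": app.get("executable"),
                    "script_path": path,
                    "wait": bool(script.get("waitForScriptToFinish", False)),
                    "suspicious": path.lower().endswith(SUSPICIOUS_EXTENSIONS),
                })
    return findings


def build_sample_package(with_script: bool = True) -> bytes:
    """Constructed sample package: a minimal MSIX-shaped ZIP with a PSF config."""
    app = {"id": "App", "executable": "VFS/ProgramFilesX64/Installer/setup.exe"}
    if with_script:
        app["startScript"] = {
            "scriptPath": "run.ps1",          # hypothetical script name
            "waitForScriptToFinish": True,
            "showWindow": False,
        }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", "<Package/>")  # placeholder manifest
        z.writestr("config.json", json.dumps({"applications": [app]}))
        if with_script:
            z.writestr("run.ps1", "# script body omitted in this constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_start_scripts(build_sample_package()):
        flag = "SUSPICIOUS" if f["suspicious"] else "info"
        print(f"[{flag}] {f['config']}: app {f['app_id']} runs "
              f"{f['script_path']} before {f['executable']}")
```

Run it against a real package by replacing the constructed bytes with the file's contents; a finding whose script_path ends in a scripting extension is the pattern this campaign relies on, and the script itself can then be extracted from the archive for review.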
Initial analysis of the campaign shows that UNC4536 operates essentially as a malware distributor: FakeBat serves as a vector for next-stage payloads delivered on behalf of its commercial partners, such as the FIN7 threat group.
NUMOZYLOD, the primary malware that FakeBat deploys in this malvertising campaign, can collect system information such as the installed OS, anti-virus software, and whether the host is domain-joined.
In some instances it also collects the host’s public IPv4 and IPv6 addresses and sends the information to an attacker-controlled C2 server. It creates a shortcut (.lnk) in the StartUp folder for persistence.
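The StartUp-folder shortcut is the most readily detectable artifact in the chain. The following is an added example, not part of the article: a small detection routine over file-creation records (writer process image plus created path, the shape a Sysmon Event ID 11 record carries) that flags any .lnk written into a per-user or all-users Startup folder and raises severity when the writer is not a process that normally creates shortcuts there. The event records, user name, file names and function names are constructed for this example.

```python
"""Flag shortcut (.lnk) files written into a Windows Startup folder.

Added example (not from the article). The records below are constructed in the
shape of file-creation telemetry. A .lnk landing under a Startup folder is a
persistence candidate; a writer other than the usual shortcut creators
(here explorer.exe and msiexec.exe) raises the severity.
"""
import ntpath
import re
from typing import Optional

# Matches both %APPDATA%\...\Startup and %ProgramData%\...\StartUp (case-insensitive).
STARTUP_FOLDER = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Processes that routinely create Startup shortcuts; anything else is high severity.
EXPECTED_WRITERS = {"explorer.exe", "msiexec.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\report.docx"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tool.lnk"},
]


def classify_event(event: dict) -> Optional[dict]:
    """Return a finding for a .lnk written into a Startup folder, else None."""
    target = event.get("TargetFilename", "")
    if not target.lower().endswith(".lnk"):
        return None
    if not STARTUP_FOLDER.search(target):
        return None  # a shortcut elsewhere in the Start Menu is not auto-run
    writer = ntpath.basename(event.get("Image", "")).lower()
    return {
        "writer": writer,
        "shortcut": ntpath.basename(target),
        "path": target,
        "severity": "medium" if writer in EXPECTED_WRITERS else "high",
    }


def scan_events(events) -> list:
    """Run classify_event over a sequence of records, keeping only findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] {finding['writer']} wrote "
              f"{finding['shortcut']} to {finding['path']}")
```

On the constructed input this yields two findings: the PowerShell-written shortcut at high severity, the Explorer-written one at medium. Explorer and msiexec are treated as expected writers only because users and installers legitimately place shortcuts there; in a real deployment the allow-list should reflect the environment's own software-deployment tooling.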
This malvertising campaign shows how threat actors keep refining their tactics to infect users more efficiently. Users should therefore be cautious when downloading software, especially if installing a simple application becomes unexpectedly complicated.